Gorz
join:2008-11-23
Lachine, QC

Gorz

Member

Openvpn with DD-WRT, and Smartrg

I am trying to make an openvpn(client) connection using Ivacy service provider. I use two routers. My ISP is Teksavvy.

Router 1, smartrg, IP: 192.168.1.1, with Teksavvy credentials
Router 2, TP-Link Archer C9 flashed with DD-WRT, IP: 192.168.11.1. I have set up router 2 according to Ivacy. (with Ivacy credentials)
»support.ivacy.com/kb/how ··· -router/

I set Wan Connection Type; Automatic Configuration-DHCP, in router 2.

When I disable openvpn everything is OK. All devices get different IP, 192.168.11.xxx, internet is OK.
When openvpn enabled, I get the message, CONNECTION SUCCESSFUL(vpn), with a page long information about the connection. All devices get different IP: 192.168.11.xxx, but NO INTERNET.
At this time, I see internet is available at least up to Smartrg.(light is green)

I appreciate any suggestion that makes internet working.
sc722
join:2015-08-17
D-Link DIR-815
Technicolor DCM476
ARRIS TG2472G

sc722

Member

I am guessing that since the VPN is "CONNECTION SUCCESSFUL", combined with your SmartRG having internet, that it is something with the internet traffic going through the VPN. What do traces look like? How far do they go? What does routing look like?

If you are using Windows devices, I would recommend ipconfig /release and ipconfig /renew after bringing the VPN up, since they don't seem to like the default route changing.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Gorz

MVM

to Gorz
2nd what sc722 says, what's "ipconfig /all," "route print" and "tracert 4.2.2.2" show?

I'm personally not sure about your apparent double nat setup... as a thought, can you install the ivacy client on
just ONE machine behind the smartrg, and see if a) the VPN works and b) whether it can browse the internet?

My initial 00000010bits

Regards
Gorz
join:2008-11-23
Lachine, QC

Gorz

Member

Thanks,
VPN seems working.
With Ivacy software installed on a PC, I could connect to VPN easily.
I could also connect to VPN with two routers (TP link stock firmware, and Smartrg), but only PPTP VPN.
I will find other information later, when nobody here needs internet.

Do you have any idea how to connect to OpenVPN? I could not find a working way. Even the Ivacy guide (above) is vague. It does not say how and where to enter ISP credentials.

Also at DD-WRT web interface, and at the WAN Connection Type, I can see Automatic Configuration, Static IP, PPPoE, PPTP, L2TP... but no OPENVPN.
sc722
join:2015-08-17
D-Link DIR-815
Technicolor DCM476
ARRIS TG2472G

sc722

Member

Pretty sure OpenVPN is just a client that runs and connects to the VPN server. Your internet is still setup normally, so if using DSL (assuming your router was in bridged mode), you would have the WAN connection as PPPoE with your ISP credentials, then the VPN client connects over your WAN connection. Could be wrong though, since I have not set it up on dd-wrt.

Teddy Boom
Premium Member
join:2007-01-29
Toronto, ON

4 edits

Teddy Boom to Gorz

Premium Member

to Gorz
I've got a very similar setup working fine, so it is possible.

A recommendation for improved debugging setup..
Run a Virtual Box Guest OS where the Host computer has access to your main LAN, but the Guest OS uses a network interface that only connects to the VPN router. This way you can be online while debugging the VPN connection, copying/pasting as you go, everything goes much faster that way.

I have NAT enabled in the OpenVPN client.

(EDIT: Oh, and I had to drop back to a previous version of DD-WRT for some reason. r30949 didn't work, r28647 works. However, if I remember right, for me r30949 didn't give the "Client: CONNECTED SUCCESS" message at all)
Gorz
join:2008-11-23
Lachine, QC

Gorz

Member

Thanks
If I switch to FTTH, could I set a DD-WRT router behind Home Hub 2000/3000 to connect to OpenVPN?
Does Bell allow that?

kevinds
Premium Member
join:2003-05-01
Calgary, AB

1 edit

kevinds

Premium Member

said by Gorz:

...

I'm sure that if you can get it working behind the double-NAT, that Bell won't care.

If you have your own router, why are you running two NAT's? Curious if there is a reason..

Their support site also gives instructions for PPTP and OpenVPN..

Does PPTP work?

Can you post the log from the screen of information it posts?

If internet doesn't work, I'm guessing DD-WRT isn't routing or NAT+routing it correctly..
Gorz
join:2008-11-23
Lachine, QC

Gorz

Member

My understanding is that Bell Home Hub 2000/3000 does not support Openvpn.
Do they really support openvpn by themselves?
I do not have them to check.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds

Premium Member

No.. They won't support OpenVPN.. But they won't care if you use it or not
Gorz
join:2008-11-23
Lachine, QC

Gorz

Member

Good to know.
So, I need Bell router to connect TVs, and another router to connect other devices with openvpn.
Or, do some modifications...
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Gorz

MVM

to Gorz
said by Gorz:

I will find other information later, when nobody here needs internet.

Please share the requested data when you're able to gather it. Agree with sc722 that OpenVPN on
the TPLINK is acting just as a client and establishes a connection to Ivacy... not sure why it would
report the VPN as working -- we'd need to see the VPN debug logs -- but if double NAT's involved, I've
learned all bets are off.

I'm SPECIFICALLY wondering if you need to open up either TCP 443 or UDP 1194 (depending how you setup
OpenVPN) on the smartrg and forward it to the TPLINK's 192.168.1.x IP address... just as a WAG*

Regards

*Wild A** Guess
rjburke377
join:2011-08-12

rjburke377 to Gorz

Member

to Gorz
said by Gorz:

Thanks,
VPN seems working.
With Ivacy software installed on a PC, I could connect to VPN easily.

Ya, that makes sense. Sounds like you have the second router connected to the Ivacy VPN service through router 1. The VPN LAN tunnels through the local LAN for transport. This implies VPN connected devices get DHCP gateway info from router 2 and not from router 1. This scenario is essentially two separate local networks that never talk to each other: the local LAN, and the VPN LAN. Router 1 should handle this situation with no problems. Not really a common scenario in a home environment.

Running VPN on the PC essentially means your PC has two network interfaces. One for the local network, and another for the VPN. There are a lot of tricky routing rules to make certain the PC does not send traffic to the wrong network, particularly during VPN failure scenarios. The routing rules are application specific and should be supplied as a configuration / monitoring application from Ivacy.

If you are trying to do something more complicated, like split routing based on device, then you may be in for a lot of pain. The routing rules get complicated when trying to handle VPN failures. Biggest issue is the very real possibility of leaking private information, like TekSavvy assigned IP address, directly to the internet.
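The routing questions raised in this thread (what the route table looks like once the tunnel is up, and where traffic goes when the tunnel fails) can be checked mechanically. The following is an added example, not part of any post above: it does a longest-prefix match over constructed `ip route` output to classify where LAN-originated internet traffic leaves router 2. The interface names `vlan2`, `br0` and `tun1`, the tunnel subnet, and the VPN server address are assumptions; `192.168.1.1`, `192.168.11.x` and `4.2.2.2` come from the thread.

```python
import ipaddress

# Constructed `ip route` output (not from the thread). Interface names
# vlan2 (WAN), br0 (LAN), tun1 (OpenVPN) and the 10.8.0.0/24 and
# 203.0.113.10 addresses are assumptions made for this example.
VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun1
default via 192.168.1.1 dev vlan2
10.8.0.0/24 dev tun1 scope link
128.0.0.0/1 via 10.8.0.1 dev tun1
192.168.1.0/24 dev vlan2 scope link
192.168.11.0/24 dev br0 scope link
203.0.113.10 via 192.168.1.1 dev vlan2
"""
# Same table after the tunnel drops: the kernel removes every tun1 route.
VPN_DOWN = "\n".join(l for l in VPN_UP.splitlines() if "tun1" not in l)

def parse_routes(text):
    """Return [(network, device)] from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes

def egress(routes, dst):
    """Longest-prefix match: the device a packet to dst leaves on, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits)[1] if hits else None

def diagnose(text, dst="4.2.2.2", tun="tun1", wan="vlan2", server="203.0.113.10"):
    """Classify where LAN-originated internet traffic goes for this table."""
    routes = parse_routes(text)
    out = egress(routes, dst)
    if out == tun:
        # The tunnel's own transport must still use the WAN, or it loops.
        return "tunnelled" if egress(routes, server) == wan else "tunnel-loop"
    return "leak-via-wan" if out == wan else "no-route"
```

A `leak-via-wan` result with the tunnel down is the failure case described above: routing alone falls back to the ISP path, so stopping it takes a firewall rule that drops LAN-to-WAN forwarding.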
thehammer86
join:2015-10-18
SmartRG SR505N
TP-Link TC-7650
(Software) pfSense

thehammer86 to Gorz

Member

to Gorz
said by Gorz:

I am trying to make an openvpn(client) connection using Ivacy service provider. I use two routers. My ISP is Teksavvy.

People need to stop doing these router behind router setups.

Learn how to put your modem in bridge mode. If it doesn't allow, buy one that will and the majority of your problems will go away.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds

Premium Member

said by thehammer86:

People need to stop doing these router behind router setups.

Can't say that enough around here..

But there are some other users who say double-NAT has no issues, that the internet works perfectly fine that way.. lol

Oh well... Not going to change until the general 'techie' techs stop suggesting it as a good idea.. This is very off topic though
thehammer86
join:2015-10-18
SmartRG SR505N
TP-Link TC-7650
(Software) pfSense

thehammer86

Member

said by kevinds:

said by thehammer86:

People need to stop doing these router behind router setups.

...[outbound]internet works perfectly fine that way.. lol

Just wait until he hooks up his game console and then complains mission control can't contact him.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds

Premium Member

But with double and triple layers of port-forwarding.. Inbound can work too.. Just fine...
thehammer86
join:2015-10-18

thehammer86

Member

I think that's called an "economic action plan!"
rjburke377
join:2011-08-12

rjburke377 to thehammer86

Member

to thehammer86
said by thehammer86:

People need to stop doing these router behind router setups.

Ya? I assume these VPN internet services essentially require double NAT.

[Local Network Address Space] === [VPN Address Space] === [Internet Address Space]

Do you think the VPN network should and can terminate directly on each local network device? I guess. Maybe. Seems to me that isn't possible when, for example, trying to country spoof to Netflix on media devices or applications that don't run openvpn.

kevinds
Premium Member
join:2003-05-01
Calgary, AB

kevinds

Premium Member

Run OpenVPN on the router, as he is trying to do, but remove the modem as a router and just use the modem as a modem.
rjburke377
join:2011-08-12

rjburke377

Member

I think having the modem as a separate function is a good thing as well. No argument there at all.

Doesn't really change anything from a routing perspective. NAT is still being done twice (except in the example where the VPN terminates at the PC application so a local private address is not necessary).

kevinds
Premium Member
join:2003-05-01
Calgary, AB

1 edit

kevinds

Premium Member

said by rjburke377:

Doesn't really change anything from a routing perspective. NAT is still being done twice (except in the example where the VPN terminates at the PC application so a local private address is not necessary).

Huh?

If a modem functions as a modem, passes the internet to the router,

The router does the VPN stuff, there is no NAT connecting to the VPN..

VPN can either give your router a public IP address, or a private IP address..

If your router does NAT for the devices behind it, there is still no NAT in place getting the VPN connected.. The router has an external IP, for which the services to work.

If you get a private IP from the VPN provider, double NAT happens for the devices behind your router, but your router still has no NAT connecting to the VPN service.

Troubleshooting things.. NAT is bad because it can/will filter and modify traffic, can't see the whole picture. This is the reason my desk phone has a public IP.. If I am troubleshooting issues, it isn't caused by the NAT on my side.

Edit: NAT also modifies every packet that passes, in some cases poorly..
Gorz
join:2008-11-23
Lachine, QC

Gorz

Member

Thanks for comments, Good news
I used the instruction of Ivacy, and the above settings
»support.ivacy.com/kb/how ··· -router/

and, I could connect to PPTP server easily. To make sure that it works, I check my IP from whatismyip. It registered a different IP from Teksavvy, ISP: Secure Internet LLC. I check speed, Speedtest Net, Full speed of 25/10, and Secure Internet LLC again.

I will try L2TP, and OpenVPN later.
rjburke377
join:2011-08-12

rjburke377

Member

said by Gorz:

Thanks for comments, Good news
I used the instruction of Ivacy, and the above settings
»support.ivacy.com/kb/how ··· -router/

and, I could connect to PPTP server easily. To make sure that it works, I check my IP from whatismyip. It registered a different IP from Teksavvy, ISP: Secure Internet LLC. I check speed, Speedtest Net, Full speed of 25/10, and Secure Internet LLC again.

I will try L2TP, and OpenVPN later.

I assume you've left the "ADSL\Cable Modem to WAN" in routing mode. There are limitations to this network architecture. As you learn more you may want to consolidate the VPN onto one ISP connected gateway device that allows your "Desktop to LAN" devices to choose which gateway address you want your applications to expose to the internet: ISP vs VPN supplied. Like you've already discovered performance is usually the thing that drives this decision. Glad "easy mode" is working for you.
said by kevinds:

said by rjburke377:

Doesn't really change anything from a routing perspective. NAT is still being done twice (except in the example where the VPN terminates at the PC application so a local private address is not necessary).

Huh?

If you get a private IP from the VPN provider, double NAT happens for the devices behind your router, but your router still has no NAT connecting to the VPN service.

When router#2 is introduced it performs NAT on the VPN tunnel and not on the "Desktop to LAN" traffic. The "Desktop to LAN" traffic may undergo double NAT regardless ... depends on the VPN architecture. It's the nature of using internet VPN based address hiding and has nothing to do with router behind router. The entire return path discussion can get complex depending on the VPN architecture used by Ivacy. Some implementations I've seen, not necessarily Ivacy, are very restrictive when it comes to internet initiated return traffic and require an openvpn rule to be fired that opens a pinhole through the VPN NAT.
said by kevinds:

Troubleshooting things.. NAT is bad because it can/will filter and modify traffic, can't see the whole picture. This is the reason my desk phone has a public IP.. If I am troubleshooting issues, it isn't caused by the NAT on my side.

Agree. NAT == more complex. I'm making the assumption that the VPN service is using concurrent shared internet addresses. To be fair it may not be and I'm not really super duper curious because Gorz says he is happy.
Gorz
join:2008-11-23
Lachine, QC

Gorz to Teddy Boom

Member

to Teddy Boom
Good,
Do you have Archer C9 v1?
Do all features of router work properly with build r28647, including USBs, dual band...? Mine is build 29621, and it seems I have problems with VPN.
Could I ask which VPN service provider you use?

Teddy Boom
Premium Member
join:2007-01-29
Toronto, ON

Teddy Boom

Premium Member

said by Gorz:

Good,
Do you have Archer C9 v1?
Do all features of router work properly with build r28647, including USBs, dual band...? Mine is build 29621, and it seems I have problems with VPN.
Could I ask which VPN service provider you use?

No, I'm using EA6400. Haven't tried USB, but dual band is fine. Set up was tested on PIA.
jmurugan
join:2010-10-07
canada

jmurugan to Gorz

Member

to Gorz
Hi there,

Slightly offtopic. I've got Archer C9 V1 as well, and I'm currently running the 3.17.0 American (US) firmware, since that seems to be the most stable of all of them (Canadian/International firmware seems pretty bad)

Since you use DD-WRT ... how is it? Looks like you use VPN, but I do not.
I just have about a dozen devices scattered across my house, all on WiFi 5ghz.
Do you think it's worth upgrading, in general?

Edit: Also, I use teksavvy cable rather than DSL
Gorz
join:2008-11-23
Lachine, QC

Gorz

Member

TP Link made a couple of firmware for this router which were problematic. But, the last one "Archer C9(UN)_V1_160517" is flawless. I used it for few months without any problem. It supports PPTP VPN, but not OpenVPN.
If you are not looking for extra functionality, stock firmware is great.
Also remember that, once upgraded to DD-WRT, you cannot revert to stock firmware easily.

Recently, I upgraded to DD-WRT to set up OpenVPN, but I was not fully successful. I still cannot figure out where the problem is: my setup, build number of DD-WRT, busy and non-responsive servers of Ivacy...